Access control vulnerabilities¶
Access control (or authorisation) is the application of constraints on whom (or what) can perform attempted actions or access resources that they have requested. In the context of web applications, access control is dependent on authentication and session management.
Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organisational, and legal constraints to a technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.
These are consistently a top OWASP risk and still common because apps with roles (Admin/User/Moderator) often misconfigure checks, APIs & microservices have poorly enforced policies in distributed systems, and for the rest due to custom logic flaws (We assumed …).
Test every endpoint—IDOR is low-hanging fruit:
- Unprotected admin functionality
- Unprotected admin functionality with unpredictable URL
- User role controlled by request parameter
- User role can be modified in user profile
- User ID controlled by request parameter
- User ID controlled by request parameter, with unpredictable user IDs
- User ID controlled by request parameter with data leakage in redirect
- User ID controlled by request parameter with password disclosure
- Insecure direct object references
- URL-based access control can be circumvented
- Method-based access control can be circumvented
- Multistep process with no access control on one step
- Referer-based access control